I need to increase the security of my android app. Actually my android app. will not be for Google play Store (which provides some licensing options to protect your app.) it will be used for some local companies that used the same app (Desktop app). However, I want to support two versions for my app. which are:
Demo version: for testing aims (after the given period end, the app will stopped!)
Actual version: this if the user want to pay for the app.
What I need:
To increase the security of my app. from installing it another time or on another device for the same user!
For my code I used ProGuard which is a tool provided by Android that lets you obfuscate (make harder to read) your code during packaging. cause there are many reverse-engineering application that used for unpacking the compiled code and viewing the source code (actually I tried some of them and its really amazing to restore the sourse code from .apk!) ..
I think to use the MAC address of each device the app. installed on and then store it into internal database and generate a number form it (in somehow), then ask user enters it (which I the one who knows this number and provider for it) if it is true, the app run else not. But, it's just idea I do not know how this can happen or even from where I can start or even also if that will help!
I tried also SharedPreferences But this does not help!
Actually I do not need for external database on server to read the username or the password for eligible users for app. I need to do that by my app. itself!
In sum please,
How can I protect my app from installing many times for same user or continuing using after testing period ends, etc. (I mean make it more secure)!
any ideas, any suggestions, any useful examples or sites are also desirable.
Sorry for this long question,
Related
I've seen a number of similar questions posed but for the sake of specificity — is possible to do an update to an existing app without losing the end users existing information?
The scope of the existing app is:
- Available on iOS and Android
- Stores user data in the app, locally
- The app does not require an internet connection at all
The changes to this app would be:
- Re-skinning
- Fixing technical debt/bugs
- Maybe adding some functionality (such as notifications)
If it can be possible to do an update without losing local data, would the original source code be required? (I'm assuming the answer is "DUH")
Unfortunately I can't share the name of this exact (client request).
Thanks!
is possible to do an update to an existing app without losing the end users existing information?
If you are the developer of the original app, yes. Otherwise, no, at least on Android (and I assume that holds true for iOS as well), for obvious security reasons.
would the original source code be required?
Usually, though presumably you are welcome to reimplement the entire app from scratch if you prefer. The bigger thing — again, on Android at least — is that you need the signing key that was used to digitally sign the original application. You can only update the app if the signing key is the same.
Long story:
My clients want to let a third-party company test my App.
Because I have never heard about this company before, I want to make my App not copyable/data-accessible, in case they try to copy my program or do strange stuff.
In few words, I give them a smartphone with the App already installed and usable, but that's it, they can't do anything more than test it normally like a casual user. Or a way to ask them a password if they try to access to sensible data.
Is there a way to do it?
Short story: I need to make my App not copyable and its data inaccessible from others.
I hope my explantion was exhaustive :)
Thank you all!
A determined hacker will defeat any sort of copy protection you put in place. But what you can do is put enough barriers in place to make their return on investment not worth the time and effort.
Without investing too heavy in security components or investing in a trusted security platform, here are some dirt simple things you can put do in a special one-off build of your app.
Tie this particular build of your app to something specific to the phone you are sharing with them. If the phone's serial number doesn't match, it doesn't work. See this on getting a serial number of an Android device.
If there are data files beyond the program's compiled code that you are trying to protect that is plaintext or not in a custom binary format, simply encrypt it. Decrypt at runtime. Perhaps the password/key is based on the serial number of the device or other nonce unique to the phone. That way, they can't copy data and program to another phone and have it work.
Put a timebomb in place. That is, after a specific date, the app just doesn't work.
On startup, your app accesses a website and downloads a URL. Based on the contents of the URL, the app shuts off.
All of these mechanisms can be defeated by someone that really wants to copy your app or get at your files. But it's sufficient to ward off the casual hacker and to buy time while your app is relevant.
Use licensing options provided by Play Store and Tools like Proguard can make it difficult
You can try StarForce Android Protection that prevents hacking and copying. They offer a month for free. It can be enough for testing. Or just ask for prolongation of trial period if you need.
I am developing an app for IOS/Android/iPad that will be linked to a database. I would like the entire database to be downloaded to the user's device the first time the app is accessed and then updated every three months automatically. I was told by another developer that Apple may not allow an app to be downloaded in its entirety and that it may affect a user's storage capabilities. I was hoping to get some info on this from people who have worked with these issues.
UPDATE
Based on Seva's answer below, I have a follow-up question:
Will a user be able to download any content from the database? I see that they will not be able to update their database in this manner, but can they retrieve other content?
Thank you.
Both iOS and Android have both limitations on package size and way around those limitations.
On iOS, the packages over 20 MB are not downloaded over cellular data link; but people can get them over WiFi or wire (via a desktop computer with iTunes software). By making an overlarge package, you'll surely lose downloads.
On Android, the package size limit is 50 MB, but you can register additional APKs and download them as necessary (look it up).
On either platform you can ship the app without a database and on the first run, pop a "Please wait" window and download it over regular HTTP. Some apps that I know do exactly that.
The tricky part would be updating. Applications are not supposed to install code. That means - no updating itself. The proper channel for app updates is Google Play and iTunes, respectively. You're free to download and install an updated database anytime, though - as long as you code the necessary HTTP access.
When developing an iOS app one can register or claim an app name by creating an entry in iTunesConnect and supplying placeholder descriptions and screenshots. Is there a similar process in the Android app store?
I'm not interested in squatting on app names. I'm just porting an iOS app to Android and I'd like to have an identical app name.
I dont think there is an equivalent in the android ecosystem. Here are a couple of suggestions which may not guarantee the name, but may help in some ways.
1) You can publish a bare minimum app with the correct package name (like com.company.appname). But I think the actual app name part will still be pretty open.
2) Another way may be to buy a .com domain for your app (if it is still available). It may sound far fetched but I believe (I may be wrong) people take that into account to avoid getting into trademarks & copyrights issues. If you have an app that is good enough for being published in multiple platforms, then buying a domain makes sense.
I have seen so many threads on creating a time bound trial versions for an android apps but none of them seems to fulfill my purpose.
Few days back i Launched the paid version of my app and now I want to come up with trial version which i dont want to be crippled from any side. So i want to have a time bound limitation on the trial version. I have created a different Package name for the same. Earlier I was using LVL and now also I am using the same except that i created new license library and changed the
setValidityTimestamp(extras.get("VT"));
to
setValidityTimestamp(String.valueOf(System.currentTimeMillis() + (5* MILLIS_PER_MINUTE))); in ServerManagedPolicy.
so that i can test if trial version works for 5 mins and then give me the license error. I published it on the app store , downloaded it and then found that it was still working beyond 5 mins. Now i have unpublished it. Can someone help me in creating the better time bound application which a user can run for a week (say). Besides he should not be able to uninstall and re-install it and then again use it permanently. I know if i can write the info to some external file but again the file can be deleted from sd card and application can be made accesible to the user free for lifetime.
Regards
Pankaj
Within the current capabilities of LVL, and the degree of user control over your average handset, there is currently NO way to do this without a server-side component. Once your app is uninstalled all traces (except, as you pointed out, files you may write to the SD card, which are user-visible) are removed, so the only way to check for an uninstall/re-install is to generate a consistent, device-specific identifier and check with a server component that will either reject this as a re-install or accept it as a new time trial. Even this can possibly be spoofed by a dedicated customer (depending on the server-side component behavior), so you would need to engineer your software so that your server-side component is a necessary part of the process (i.e. it isn't just a license check, it is actually part of the application's functionality).
If you come up with something that works I'd love to hear about it, but I'd say you're out of luck.
#Femi is right, you need a server side component to make always work. What I tend to do is publish only a free version, and teh user buys the full version as in-app-purchase. The IAP server is your server side check if the use purchased the upgrade or not. You can store a pref on first use to know when the user started using the app. If users uninstall and install again your app, they get a new trail period, but this is annoying, and few will do it to save a few bucks. If you add a message in the app where you ask user nicely to upgrade, or have ads that are removed once you upgrade, it is a good enough solution.